Accesseon is now part of Stackproof, our new trust, security, and compliance platform for vibe-coded apps. Your Accesseon subscription and scans are unchanged.

Built for

Claude Code · Lovable · Bolt · Cursor · v0 · Replit

Your vibe-coded app shipped fast. Did it ship safe?

One scan. One Trust Score.

Security · Accessibility · Performance · AI compliance · Runtime.

Paste a URL. Full audit in 60 seconds. Free.

No Signup Required · 5 Dimensions in 60s · Public Trust Badge

Tested against

Global WCAG 2.2 AA · OWASP Top 10 · Google Core Web Vitals · EU AI Act Art. 50 · EU GDPR DPA · US ADA Title III

Why every vibe-coded app needs a trust scan

170 Lovable apps leaked in CVE-2025-48757
Over 8,600 ADA lawsuits filed in 2025 alone
Aug 2026: EU AI Act Article 50 enforceable

One scan. Five dimensions.

The checks your AI coder skips.

Vibe coding ships fast and leaks hard. Stackproof is the scanner your app actually needs before real customers find the holes.

  • Security

    Exposed Supabase service keys, hardcoded OpenAI/Anthropic/Stripe secrets in client bundles, wide-open CORS, admin routes returning 200 without auth, Row Level Security bypasses.

    Why it matters: CVE-2025-48757 leaked 170 Lovable apps to the public internet. Same class of mistake.

  • Accessibility

    Full WCAG 2.0 / 2.1 / 2.2 at A + AA, Section 508 (US federal), EN-301-549 (EU EAA), W3C ACT. Same engine that powers accesseon.com.

    Why it matters: Over 8,600 ADA lawsuits filed in 2025. Average settlement: $25,000 - $75,000. Default Lovable outputs fail.

  • Performance

    Core Web Vitals: TTFB, First Contentful Paint, Largest Contentful Paint. Transfer size. Request count. Render-blocking resources. Google's own thresholds.

    Why it matters: Poor LCP drops you down the search ranking before a human ever sees your landing page.

  • AI compliance

    EU AI Act Article 50 disclosure when a chatbot ships. Subprocessor listing when your client hits OpenAI/Anthropic/Gemini. PLD-readiness (security.txt, SLA). GDPR DPA availability.

    Why it matters: EU AI Act is enforceable August 2026. EU PLD December 2026. Missing disclosures are personal liability territory.

  • Runtime behavior

    Can an unauthenticated visitor read another user's orders? Does your signup endpoint rate-limit? Do your session cookies carry Secure + HttpOnly + SameSite?

    Why it matters: The class of bugs that plaintiff law firms find first. Gated on DNS ownership proof + cyber insurance before it goes live per target.

  • Trust Score + public badge

    One weighted 0-100 composite. Public verification page. Embeddable SVG badge your marketing team pastes on the landing page.

    Why it matters: Your scan result becomes proof. Your customers trust you. Your competitors don't have one.

Every dimension is scored with the same severity formula so the composite is honest. Public methodology at /methodology.

How it works

Paste. Scan. Prove.

No installer. No GitHub integration. Paste a URL and get a Trust Score across five dimensions in under 60 seconds.

Paste a URL

Enter your deployed app URL. Optionally paste your Supabase anon key for an RLS audit (service-role keys rejected at the input).

Scan five dimensions

Security (exposed secrets, CORS, Supabase RLS). Accessibility (WCAG 2.2 AA + Section 508 + EN-301-549). Performance (Core Web Vitals). AI compliance (EU AI Act, GDPR DPA, PLD). Runtime (gated).

Get Trust Score + badge

Weighted 0-100 composite. Findings grouped by category with AI fix suggestions. Public verification page. Embeddable SVG badge for your landing page.

Free scan. No signup. Pro tiers unlock continuous monitoring, badges, and deeper audits.

Pricing

Insurance for your trust posture.

Monthly subscriptions keep the Trust Score live. Cancel in one click, keep the last scan forever. Annual billing is two months free.

Hobby

Solo vibe-coder with one project

$29/mo

 

  • 1 project
  • Monthly scan - all 5 dimensions
  • Full findings list (issues revealed)
  • Basic remediation hints
  • Trust Score + private report

Most popular

Pro

Real SaaS with paying customers

$99/mo

 

  • 3 projects
  • Weekly scans
  • AI fix suggestions (copy-paste code) for every finding
  • Public verification page + embeddable badge
  • Score-drop alerts + trend graph
  • Slack / Discord webhooks
  • Email digest

Team

Startups with 2-5 engineers

$299/mo

 

  • 10 projects
  • Daily scans
  • GitHub Action + CI/CD gate
  • Team seats + SSO-ready
  • Priority support (12h SLA)
  • API access (300 req/hr)

Agency

Running client portfolios

$699/mo

 

  • 25 projects
  • Daily scans
  • White-label PDF reports
  • Multi-workspace
  • Priority 8h SLA
  • API access (unlimited)

One-time · Pre-launch

Launch Audit - $999

Deep-dive single scan with manual review of high-severity findings, written executive summary, and 30-day Pro access bundled. Ship your Series-A demo with a public Trust Score they can verify.


Prices in USD. Paddle handles VAT and sales tax. Cancel anytime. See the full feature list at /pricing.

Your AI coder ships fast.
Stackproof makes sure it ships safely.

Paste a URL. Scan five dimensions. Get a Trust Score + badge that turns your customers into your marketing.

Knowledge Base

Frequently Asked Questions

What does Stackproof actually scan?

Five dimensions in parallel: Security (exposed secrets in client bundles, CORS misconfigurations, public admin endpoints, Supabase RLS when you paste creds), Accessibility (full WCAG 2.0/2.1/2.2 A + AA via axe-core, plus Section 508 and EN-301-549), Performance (Core Web Vitals, transfer size, request count), AI Compliance (EU AI Act Article 50 disclosure, subprocessor listing, GDPR DPA, Product Liability Directive readiness), and Runtime Behavior (authenticated probes, gated on DNS ownership + cyber insurance). One 0-100 Trust Score weighted across all of them.

Do I need to install anything?

No. Paste a deployed URL. We scan the live site with headless Chrome and a static analyzer: no installer, no GitHub integration, no agent. If you want the deeper Supabase Row Level Security audit, you paste your Supabase project URL + anon key into the optional advanced field. Service-role keys are rejected on the spot.

Is this safe to run against my production app?

The Security, Accessibility, Performance, and AI Compliance dimensions are passive - they read what a normal browser or curl would see, at normal rate limits, with an identifying User-Agent. Runtime Behavior (authenticated IDOR, rate-limit probes, XSS reflection) is disabled by default and only runs after you prove domain ownership via DNS TXT, accept the active-testing Terms of Service, and we have cyber/E&O insurance in place. See the methodology page for the full boundary.

How is the Trust Score computed?

Each dimension produces its own 0-100 score using the same severity-penalty formula (critical 25, high 10, medium 3, low 0.5). The Trust Score is a weighted average. v0.3 (current) weights: Security 0.35, Accessibility 0.25, AI Compliance 0.25, Performance 0.15. Dimensions that failed or were not run drop out and the remaining weights renormalize. Every scan stores its algorithm version so historical scores stay comparable. Full docs at /methodology.
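
The weighting and renormalization described in this answer, worked through as an added example (not Stackproof's own code). The penalty values and v0.3 weights come from the answer; the per-dimension formula (start at 100, subtract penalties, floor at 0), the function names, and the sample findings are assumptions made for illustration.

```python
from typing import Optional

# Values stated in the FAQ answer (algorithm v0.3).
PENALTY = {"critical": 25, "high": 10, "medium": 3, "low": 0.5}
WEIGHTS = {"security": 0.35, "accessibility": 0.25,
           "ai_compliance": 0.25, "performance": 0.15}


def dimension_score(findings: list[str]) -> float:
    """Assumed formula: 100 minus the sum of severity penalties, floored at 0."""
    unknown = [s for s in findings if s not in PENALTY]
    if unknown:
        raise ValueError(f"unknown severity: {unknown}")
    return max(0.0, 100.0 - sum(PENALTY[s] for s in findings))


def trust_score(dimensions: dict[str, Optional[list[str]]]) -> Optional[float]:
    """Weighted average over dimensions that ran; None marks failed/not run."""
    ran = {d: f for d, f in dimensions.items()
           if f is not None and d in WEIGHTS}
    total_weight = sum(WEIGHTS[d] for d in ran)
    if total_weight == 0:
        return None  # nothing ran, so there is no composite to report
    weighted = sum(WEIGHTS[d] * dimension_score(f) for d, f in ran.items())
    # Dividing by the weight that actually ran is the renormalization step.
    return round(weighted / total_weight, 1)


# Constructed sample scan: one severity label per finding.
SAMPLE = {
    "security": ["critical", "high", "medium"],                    # 62.0
    "accessibility": ["high", "medium", "medium", "low", "low"],   # 83.0
    "ai_compliance": ["high", "high"],                             # 80.0
    "performance": ["medium", "low"],                              # 96.5
}

if __name__ == "__main__":
    print("all four dimensions:", trust_score(SAMPLE))
    print("performance not run:", trust_score({**SAMPLE, "performance": None}))
    print("security not run:   ", trust_score({**SAMPLE, "security": None}))
```

With this constructed input the composite is 76.9 when all four dimensions run, 73.5 when Performance drops out, and 85.0 when Security drops out. Under renormalization a missing weak dimension raises the composite, so read the score together with the list of dimensions that actually ran.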

What is the public badge?

A signed SVG under 3KB. You paste the <img> tag on your landing page. Clicking it takes your customers to /v/{token} - a public verification page showing the current Trust Score, per-dimension breakdown, and last-scanned-at timestamp. Specific findings stay private to you; the public page only shows the scores.

Does a high Trust Score mean my app is secure?

No. A high score means the automated checks passed at scan time. Business-logic vulnerabilities, social-engineering paths, supply-chain attacks, and anything requiring authenticated sessions to exploit are outside the scan's reach. Treat the score as a strong signal, not a guarantee. Full 'what this does not guarantee' section on /methodology.

What do the tiers cost?

Hobby $29/mo (1 project, monthly scan), Pro $99/mo (3 projects, weekly scan, badge, fix suggestions), Team $299/mo (10 projects, daily scan, CI integration), Agency $699/mo (25 projects, white-label reports). One-time Launch Audit $999. Annual billing is 2 months free.

What is Accesseon and how is it related?

Accesseon was the accessibility-only version of this product. Everything it scanned is still here as the Accessibility dimension of the Trust Score, same axe-core engine, same WCAG coverage. Existing Accesseon customers are unaffected.